Security news that informs and inspires

Microsoft Patches Windows CLFS Zero Day

Microsoft has patched nearly 100 separate vulnerabilities in its April Patch Tuesday release, including one bug that is under active attack at the moment and affects many versions of Windows and Windows Server.

The vulnerability (CVE-2023-28252) is an elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver. It is not remotely exploitable on its own: an attacker who already has the ability to run code on the system as a low-privileged user could use it to escalate to full control of the machine.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the Microsoft advisory says.

Although the vulnerability is classified as important rather than critical, the attack complexity is low and there is working exploit code available, which raises the stakes considerably. The flaw affects Windows 10, Windows 11, and several versions of Windows Server.

This vulnerability is quite similar to one (CVE-2023-23376) that Microsoft fixed in February in the same component. That bug is also an elevation-of-privilege flaw and was also being exploited in the wild at the time it was patched.

“To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware. Definitely test and deploy this patch quickly,” said Dustin Childs of the Zero Day Initiative.

Also notable this month is a re-released advisory for a vulnerability that dates to 2013, in the way the WinVerifyTrust function verifies Authenticode signatures on PE files. The fix for it has always been opt-in rather than applied by default, and the weakness is the one the threat actor in the 3CX intrusion exploited.

“A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Microsoft advisory says.
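Because the 2013 fix is opt-in, installing the update alone does not change WinVerifyTrust's behaviour; an administrator has to enable the stricter padding check in the registry. The following PowerShell is an added example written for this page, not code from the article or from Microsoft. The registry paths and the EnableCertPaddingCheck string value are those documented in Microsoft's advisory for the 2013 issue (CVE-2013-3900); the binary checked at the end is an assumed example, and the session is assumed to be elevated.

```powershell
# Added example (not from the article or Microsoft): opt in to the stricter
# WinVerifyTrust Authenticode padding check from the CVE-2013-3900 advisory and
# confirm that a known-good signed binary still validates afterwards.
# Run in an elevated PowerShell session on a machine that has the update installed.

$configPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    # Second key applies to 32-bit processes on 64-bit Windows; harmless if absent on 32-bit hosts.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)

foreach ($path in $configPaths) {
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # The advisory specifies a REG_SZ value of "1"; a DWORD is not the documented form.
    New-ItemProperty -Path $path -Name 'EnableCertPaddingCheck' `
        -PropertyType String -Value '1' -Force | Out-Null
}

# Read the setting back so the change can be audited (e.g. from a config-management run).
foreach ($path in $configPaths) {
    if (Test-Path $path) {
        $value = (Get-ItemProperty -Path $path -Name 'EnableCertPaddingCheck' `
                  -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        '{0} -> EnableCertPaddingCheck = {1}' -f $path, $value
    }
}

# Get-AuthenticodeSignature validates through WinVerifyTrust, so once the check is on,
# a file whose signature block has been padded with extra data no longer reports Valid.
# Assumed example target: a system binary that should still verify cleanly.
$sig = Get-AuthenticodeSignature -FilePath "$env:SystemRoot\System32\notepad.exe"
'{0}: {1} ({2})' -f $sig.Path, $sig.Status, $sig.SignerCertificate.Subject
```

Test this on a representative set of machines before rolling it out: the advisory warns that installers and other signed binaries which deliberately store data in the unverified part of the signature block will stop validating once the padding check is enforced, which is precisely why Microsoft left it opt-in.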